IS Risk & Assurance Advisor (Applications Platforms and Data)

About The Position

Requirements

• Maintains and evolves the technology risk and control library, mapped to internal policies and external frameworks (e.g. ISO/IEC 27001/2, Essential Eight, CMMC, and client requirements).
• Defines and governs platform‑specific control objectives across applications, data, AI, online/web, DNS, and development domains, including control intent, ownership, assurance approach, success criteria, and evidence expectations.
• Provides independent oversight, challenge and advisory input to Applications, Data & AI, Technology, and Web/Digital teams to support the embedding of controls by design within business plans and delivery approaches.
• Designs and executes a risk‑based technology assurance program, including control design and operating effectiveness assessments for in‑scope platforms and services.
• Leads thematic and deep‑dive reviews (e.g. domain/DNS hygiene, AI use‑case onboarding, web application release quality, development practices, and data access controls), and govern remediation planning and outcomes with accountable control owners.
• Validates control evidence, manages findings, tracks remediation progress to closure, and escalates material control weaknesses, non‑conformances, and risks in accordance with governance thresholds.
• Produces regular CIO/CTO Platform Assurance reporting, including control effectiveness ratings, risk heat maps, key risk indicators (KRIs), trend analysis, and material risks and issues.
• Supports internal and external audits and client assessments, providing defensible assurance artefacts, evidence, and subject‑matter expertise.
• Delivers clear, actionable insights highlighting control gaps, emerging risk themes, and prioritised improvement recommendations.
• Provide second‑line oversight of AI risk management, including governance of AI use‑case risk assessments, data protection controls, logging and traceability, and model/service control expectations.
• Provide second‑line oversight of the online and web environment, including secure configuration standards, development and release practices, lifecycle controls, defect leakage metrics, and domain portfolio governance (e.g. renewals, registrar lock, DNS change control, DNSSEC where applicable, data privacy, and name server posture).
• Monitors and assess regulatory, compliance, and client requirement changes, and manages their impact on the technology control and assurance environment.
• Provides insightful dashboards and reporting to senior leadership and governance committees to support informed risk‑based decision‑making.
• Champions continuous improvement in technology risk and assurance practices, and mentor team members within the IS Risk & Compliance function
• Bachelor’s degree in Information Security, IT, or related field
• Knowledge of ISO/IEC 27001, NIST SP 800-171, CMMC L2, IRAP/ISM/PSPF/DSPF ASD E8ML3
• 5–10 years in IT and controls-related roles
• Strong coordination, design, testing, and risk-related skills
• Excellent communication, documentation, and stakeholder engagement abilities

Responsibilities

• Maintains and evolves the control library mapped to internal policies and external frameworks (e.g., ISO/IEC 27001/2, Essential Eight, CMMC, client requirements).
• Defines platform‑specific control objectives for applications, data, AI, online/web, DNS, development, including control owners, test procedures, success criteria, and evidence requirements.
• Partner with Applications, Data & AI, Technology and Web/Digital teams to embed controls by design in business plans.
• Runs a risk‑based assurance program (design/operating effectiveness testing) for target platforms.
• Executes thematic reviews (e.g., domain/DNS hygiene, AI use‑case onboarding, web app release quality, development practices, data access controls) and facilitates remediation plans with owners.
• Validates control evidence, tracks findings to closure, and escalates material non‑conformances and risks.
• Produces monthly CIO/CTO Platform Assurance Reporting: control effectiveness ratings, heat maps, KRIs, trend analysis, and material risks/issues.
• Supports internal/external audits and client assessments with defensible evidence.
• Delivers actionable insights highlighting control gaps and recommended fixes.
• Coordinates AI use‑case risk assessments, data protection measures, logging/traceability, and model/service controls.
• Provides oversight of the web environment, secure configuration, code development and promotion, protections, lifecycle, CSP/HSTS usage, defect leakage metrics and domain portfolio governance (renewals, registrar lock, DNS change control, DNSSEC (where relevant), data privacy, and name server posture).
• Identifies changing regulatory and compliance alignment, managing change and impacts to the controls environment
• Provides insightful dashboards and reports to senior leadership and governance committees
• Champions continuous improvement in the domain, team and mentor team members

Benefits

• 401K - Employees are eligible to participate on the first day of the month following 3 months of service
• Paid time off – Our PTO benefit is designed to provide eligible employees with a period of rest and relaxation, sick, and personal time throughout the year. PTO starts at 16 days per year and increases with years of service
• Holiday Pay - Holiday pay is provided for eligible employees. GHD observes 9 holidays per year. Holiday pay will be based on the regular set schedule for the employee
• Wellness Benefit- Regular full-term employees are eligible to participate in the wellness reimbursement program. GHD will reimburse 50% of the cost of the following to maximum of $250.00 reimbursement annually for such items as: Health club membership fees, Home exercise equipment purchases, Bicycles, Race, run & marathon entrance fees, Smoking cessation programs, Weight loss programs (i.e.—Weight Watchers, Jenny Craig), Fitbits and Fitness Tracking devices